Abstract

Forty years ago, Wiesner proposed using quantum states to create money that is physically impossible to counterfeit, something that cannot be done in the classical world. However, Wiesner's scheme required a central bank to verify the money, and the question of whether there can be unclonable quantum money that anyone can verify has remained open since. One can also ask a related question, which seems to be new: can quantum states be used as copy-protected programs, which let the user evaluate some function $f$, but not create more programs for $f$?

This paper tackles both questions using the arsenal of modern computational complexity. Our main result is that there exist quantum oracles relative to which publicly-verifiable quantum money is possible, and any family of functions that cannot be efficiently learned from its input-output behavior can be quantumly copy-protected. This provides the first formal evidence that these tasks are achievable. The technical core of our result is a "Complexity-Theoretic No-Cloning Theorem," which generalizes both the standard No-Cloning Theorem and the optimality of Grover search, and might be of independent interest. Our security argument also requires explicit constructions of quantum $t$-designs.

Moving beyond the oracle world, we also present an 
explicit candidate scheme for publicly-verifiable quan- 
tum money, based on random stabilizer states; as well 
as two explicit schemes for copy-protecting the family 
of point functions. We do not know how to base the 
security of these schemes on any existing cryptographic 
assumption. (Note that without an oracle, we can only 
hope for security under some computational assump- 
tion.) 
1 Introduction

In classical physics, any information that can be read can be copied an unlimited number of times — which is why the makers of software, music CDs, and so on have met such severe difficulties enforcing "digital rights management" on their products (see Halderman [14] for example). Quantum states, on the other hand, cannot in general be copied, since measurement is an irreversible process that destroys coherence. And this immediately raises the possibility of using quantum states as unclonable information, such as money or copy-protected software. The idea of using quantum states in this way actually predates quantum information as a field. In a remarkable 1970 manuscript that first discussed the idea of quantum cryptography, Wiesner [22] also proposed a scheme for "quantum money" that a central bank can prepare and verify, but that is information-theoretically impossible for anyone other than the bank to copy. Wiesner's result immediately raised a question: could there be quantum money states that anyone can verify — that is, for which the authentication procedure is completely public — but that are still infeasible to copy? This latter question has remained open for forty years.

However, while the quantum money problem is fascinating by itself, it also motivates a broader problem: what sorts of "unclonable power" can be provided by a quantum state? So for example, given a Boolean function $f : \{0,1\}^n \to \{0,1\}$, one can ask: does there exist a quantum state $|\psi_f\rangle$ that lets its owner compute $f$ in polynomial time, but does not let her efficiently prepare more states that are also useful for computing $f$?^1 Such a state could be interpreted as "quantumly copy-protected software." Whereas in the quantum money problem, we wanted unclonable states that could be verified as authentic, in the quantum copy-protection problem we want unclonable states that let us do something useful (namely, compute $f$). There are other interesting unclonable functionalities (such as identity

1 Formally, of course, we would want a scheme that worked for a whole family of $f$'s.



cards), but in this paper, money and copy-protected 
software will be more than enough to occupy us. 

A first, crucial observation is that, if we insist on information-theoretic security (as provided, for example, by quantum key distribution), then we cannot hope for either quantum copy-protection or publicly-verifiable quantum money. The reason is simple: an adversary with unlimited computational power could loop through all possible quantum states, halting only when it found a state with the required properties.^2 Therefore, if we want these functionalities, we are going to have to make computational hardness assumptions. However, this does not by any means defeat the purpose — for remember that in the classical world, the functionalities we are talking about are flat-out impossible, regardless of what computational assumptions we make.

In our view, unclonable information remains one of the most striking potential applications of quantum mechanics to computer science. Firstly, unclonable information would solve problems of clear, longstanding, and undisputed importance in the classical world — in the case of money that cannot be counterfeited, a problem that people have been trying to solve for thousands of years. Secondly, unlike with (say) quantum cryptography, the problems being addressed here are ones for which theoretically-grounded classical alternatives simply do not exist, because of the copyability of classical information.^3 Thirdly, as we will see, some quantum money proposals require no multi-qubit entanglement, and might therefore be technologically feasible long before general-purpose quantum computing.^4

Given all this, it is surprising that the questions of 
unclonable quantum money and software have barely 
been taken up over the last two decades. The goal of 
this paper is to revisit these questions using the arsenal 
of modern theoretical computer science. Our main 
result (stated informally) is the following: 



2 In the copy-protection case, the property of $|\psi_f\rangle$ that we care about is that of "being a valid quantum program for the function $f$." And even if an explicit description of $f$ is not available, this property can be checked using unlimited computational power, together with polynomially many copies of $|\psi_f\rangle$ (the "store-bought" quantum program for $f$).

3 Here we are leaving aside solutions that involve repeated 
interaction with a server: we seek solutions in which the cash, 
software, etc. can be placed under the complete physical control 
of the user. 

4 On the other hand, quantum money must be protected from 
decohering, and this remains the central technological obstacle 
to realizing it. Depending on the physical substrate, right now 
qubits can be stored coherently for a few seconds or at most min- 
utes, and only in laboratory conditions. By contrast, quantum 
key distribution (QKD) requires only the transmission of coher- 
ent qubits and not their long-term storage — which is why QKD 
can be implemented even with today's technology. 



Theorem 1 There exists a quantum oracle $U$ relative to which publicly-verifiable quantum money and quantum copy-protection of arbitrary^5 software are possible.^6

Here a "quantum oracle," as defined by Aaronson and Kuperberg [3], is just an infinite collection of unitary operations $U = \{U_n\}_{n \ge 1}$ that can be applied in a black-box fashion. Theorem 1 implies that, if quantum money and copy-protection are not possible, then any proof of that fact will require "quantumly non-relativizing techniques": techniques that are sensitive to the presence of a quantum oracle. Such a proof is almost certainly beyond present-day techniques.

However, we also go beyond oracle results, and propose the first explicit candidate schemes for publicly-verifiable quantum money and for copy-protecting the family of point functions. Here a "point function" is a Boolean function $f_s : \{0,1\}^n \to \{0,1\}$ such that $f_s(x) = 1$ if and only if $x$ equals some secret string $s$. Copy-protecting point functions has an interesting application for computer security: it yields a way to distribute a password-authentication program such that, not only can one not learn the password by examining the program, one cannot even use the program to create additional programs with the ability to recognize the password.

Our candidate quantum money scheme is based on random stabilizer states; the problem of counterfeiting the money is closely related to noisy decoding for random linear codes over $\mathrm{GF}(2)$. For copy-protecting point functions, we actually give two schemes: one based on random quantum circuits (as recently studied by Harrow and Low [16]), the other based on hidden subgroups of the symmetric group. The key challenge, which we leave unresolved, is to base the security of our schemes on a "standard" cryptographic assumption (for example, the existence of pseudorandom functions secure against quantum attack), as opposed to the tautological assumption that our schemes are secure!

Our results give the first complexity-theoretic ev- 
idence that quantum copy-protection and publicly- 
verifiable quantum money are indeed possible. On 
the other hand, the oracle results also help explain the 
difficulty of proving explicit schemes for these tasks se- 
cure. For as we will see, proving security in the oracle 

5 By which we mean, software that is not learnable from its input/output behavior using a polynomial-time quantum computation. Learnable software is impossible to copy-protect for trivial reasons. Our result shows that relative to an oracle, this is the only obstruction.

6 For technical reasons, the copy-protection result currently 
only gives security against pirating algorithms that more than 
double the number of programs. We hope to remove this re- 
striction in the future. 
world is already highly nontrivial! Furthermore, any security proof for an explicit scheme will need to include our oracle result as a special case — since an attack on an explicit scheme could always proceed by treating all the relevant circuits as black boxes and ignoring their internal structure.

1.1 Techniques 

In proving our oracle results, perhaps the most novel technical ingredient is what we call the "Complexity-Theoretic No-Cloning Theorem":

Theorem 2 (Complexity-Theoretic No-Cloning) Let $|\psi\rangle$ be an $n$-qubit pure state. Suppose we are given the initial state $|\psi\rangle^{\otimes k}$ for some $k \ge 1$, as well as an oracle $U_\psi$ such that $U_\psi |\psi\rangle = -|\psi\rangle$ and $U_\psi |\phi\rangle = |\phi\rangle$ for all $|\phi\rangle$ orthogonal to $|\psi\rangle$. Then for all $\ell > k$, to prepare $\ell$ registers $\rho_1, \ldots, \rho_\ell$ such that

$$\sum_{i=1}^{\ell} \langle \psi | \rho_i | \psi \rangle \;\ge\; k + \delta,$$

we need

$$\Omega\!\left( \frac{\delta \sqrt{2^n}}{k \log k} \right)$$

queries to $U_\psi$.

Intriguingly, Theorem 2 can be seen as a common generalization of the No-Cloning Theorem and the BBBV lower bound for quantum search [7].^7 It reduces to the No-Cloning Theorem if we ignore the oracle $U_\psi$, and it reduces to the BBBV lower bound if we ignore the initial state $|\psi\rangle$.

The proof of Theorem 2 proceeds in two steps. First we lower-bound the query complexity of cloning $|\psi\rangle$ almost perfectly, by using a generalization of Ambainis's quantum adversary method [4] that we design specifically for the purpose. Next we argue that, if we could even clone $|\psi\rangle$ with non-negligible fidelity, then with polynomially more queries we could also clone $|\psi\rangle$ almost perfectly, by using a recent fixed-point quantum search algorithm of Grover [13].

We regret that, due to space limitations, we are not 
able to include a proof of Theorem [2] in this extended 
abstract. 

With Theorem 2 in hand, it is not hard to show the existence of a quantum oracle $U$ relative to which a publicly-verifiable quantum money scheme exists. We

7 Here by "quantum search," we mean search for an unknown 
pure state which need not be a computational basis state. 
As far as we know, this generalization of the usual Grover prob- 
lem was first studied by Farhi and Gutmann 



simply choose $n$-qubit quantum banknotes uniformly at random under the Haar measure, and then "offload" all the work of preparing and recognizing the banknotes onto the oracle. Theorem 2 then implies that, even given $k = \mathrm{poly}(n)$ valid banknotes, a would-be counterfeiter needs exponentially many queries to $U$ to prepare a $(k+1)$st banknote. Crucially, our oracle construction is "fair," in the sense that the bank, the customers, and the counterfeiters all have access to the same oracle $U$, and none of them have any special knowledge about $U$ not shared by the others. This is why we believe our result merits the informal interpretation we have given it: namely, that any impossibility proof for quantum money would have to be non-relativizing.

Showing the existence of a quantum oracle $U$ relative to which quantum copy-protection works is a harder problem. As in the money case, we choose $n$-qubit "quantum programs" $|\psi_f\rangle$ uniformly at random under the Haar measure, and then define a quantum oracle $U$ that is able both to prepare $|\psi_f\rangle$ given a description of $f$, and to evaluate $f(x)$ given $|\psi_f\rangle$ and $x$. However, a new difficulty is that some families of Boolean functions $\mathcal{F}$ cannot be copy-protected: namely, those for which any $f \in \mathcal{F}$ can be efficiently learned using black-box access. Thus, our proof somehow needs to explain why learnability is the only obstruction. Our solution will be to construct a polynomial-time simulator, which takes an algorithm (in the oracle world) for pirating a quantum program $|\psi_f\rangle$, and converts it into an algorithm (with no oracle) that learns $f$ using only black-box access to $f$.

Among other things, the simulator needs the ability to "mock up" its own quantum state $|\varphi\rangle$ that can stand in for $|\psi_f\rangle$ in a simulation of the pirating algorithm, which in turn means that $|\varphi\rangle^{\otimes t}$ should be indistinguishable from $t$ copies of a Haar-random state for some fixed $t = \mathrm{poly}(n)$. As it turns out, precisely this problem — the construction of explicit quantum states that behave like Haar-random states — has recently become a major topic in quantum computing. So for example, Ambainis and Emerson [5] gave an explicit construction of approximate quantum $t$-designs for arbitrary $t$: that is, finite ensembles of pure states $(p_x, |\varphi_x\rangle)$ such that

$$(1-\varepsilon) \int \left( |\psi\rangle\langle\psi| \right)^{\otimes t} d\psi \;\le\; \sum_x p_x \left( |\varphi_x\rangle\langle\varphi_x| \right)^{\otimes t} \;\le\; (1+\varepsilon) \int \left( |\psi\rangle\langle\psi| \right)^{\otimes t} d\psi,$$

where the integrals are with respect to the Haar measure. Our requirement is slightly different: basically, we need that no algorithm that receives $t$ copies of $|\varphi\rangle$, and makes $T$ queries to an oracle that recognizes $|\varphi\rangle$, can decide whether $|\varphi\rangle$ was drawn from the explicit distribution or the Haar measure. Both for that reason, and because our construction was independent of [5], in the full version of the paper we give a self-contained proof of the following result:

Theorem 3 Let $d$ be a positive integer. Then there exists a collection of $n$-qubit pure states $\{|\psi_x\rangle\}_{x \in \{0,1\}^{n(d+1)}}$ such that:

(i) Given $x$ as input, the state $|\psi_x\rangle$ can be prepared in time polynomial in $n$ and $d$.

(ii) Let $E$ be any quantum algorithm that receives a state $|\varphi\rangle^{\otimes t}$ as input, and also makes $T$ queries to a quantum oracle $U_\varphi$ such that $U_\varphi |\varphi\rangle = -|\varphi\rangle$ and $U_\varphi |\phi\rangle = |\phi\rangle$ for all $|\phi\rangle$ orthogonal to $|\varphi\rangle$. Let $E(|\varphi\rangle)$ represent the probability that $E$ accepts. Then provided $t + 2T \le \min\{ d/2,\; \sqrt{2^n}/2 \}$, we have

$$\left| \mathop{\mathrm{E}}_{x \in \{0,1\}^{n(d+1)}} \big[ E(|\psi_x\rangle) \big] \;-\; \mathop{\mathrm{E}}_{|\varphi\rangle \in \mu} \big[ E(|\varphi\rangle) \big] \right| \;\le\; \frac{4 (t + 2T)^2}{2^n},$$

where $\mu$ is the Haar measure.

For those who are curious, the explicit states in ques- 
tion are 



- r 



where $p : \mathrm{GF}(2^n) \to \mathrm{GF}(2^n)$ is a univariate polynomial of degree at most $d$ that is encoded by the string $x \in \{0,1\}^{n(d+1)}$, and elements of $\mathrm{GF}(2^n)$ are freely reinterpreted as $n$-bit integers where relevant.

1.2 Related Work 

Recall that quantum money was first studied by Wiesner [22]. In Wiesner's scheme, a central bank distributes "quantum banknotes," each consisting of a unique serial number (which is written down classically), together with $n$ polarized photons in the states $|0\rangle$, $|1\rangle$, $|+\rangle = (|0\rangle + |1\rangle)/\sqrt{2}$, or $|-\rangle = (|0\rangle - |1\rangle)/\sqrt{2}$. The bank also stores, in a secure location, a database of all the serial numbers together with classical descriptions of the associated quantum states. Whenever a banknote is returned to the bank, the note can be measured (using the secure database) to verify its authenticity. On the other hand, using the uncertainty principle, it is possible to show that, starting from $k$ banknotes, any



attempt to forge $k+1$ banknotes that all pass the authentication test can succeed with probability at most $(3/4)^n$.

Let us point out two striking advantages of Wies- 
ner's scheme. Firstly, the scheme requires only single 
coherent qubits and one-qubit measurements; there is 
no need for any entanglement. For this reason, the 
scheme might be practical long before universal quan- 
tum computing. Secondly, the security of the scheme 
is information-theoretic — guaranteed by the laws of 
quantum physics — rather than computational. 

An obvious drawback of Wiesner's scheme is its need for a giant secret database maintained by the bank. But in 1982, Bennett, Brassard, Breidbart, and Wiesner [8] (henceforth BBBW) showed how to avoid the giant database, at the cost of making the security of the quantum money computational rather than information-theoretic. In modern terms, their proposal was this. The bank fixes, once and for all, a secret random seed $s$. It then distributes banknotes, each of the form $|y\rangle |\psi_{g_s(y)}\rangle$, where $y \in \{0,1\}^n$ is a unique serial number for the banknote, $g_s : \{0,1\}^n \to \{0,1\}^n$ is a pseudorandom function, and $|\psi_{g_s(y)}\rangle$ is the state obtained by starting from $g_s(y)$, grouping the $n$ bits into $n/2$ blocks of two, and mapping each 00 to $|0\rangle$, 01 to $|1\rangle$, 10 to $|+\rangle$, and 11 to $|-\rangle$.

Using its knowledge of $s$, the bank can verify the authenticity of any note $|y\rangle |\psi_{g_s(y)}\rangle$, by computing $g_s(y)$ and then measuring each qubit of $|\psi_{g_s(y)}\rangle$ in the appropriate basis. But suppose $g_s$ were a truly random function. Then by the same argument as for Wiesner's original scheme, given any $k$ banknotes, no quantum operation could forge a $(k+1)$st note with probability more than $(3/4)^{n/2}$ of passing the authentication test. This means that, if there were a quantum operation to forge high-quality banknotes, then that operation could be used to distinguish $g_s$ from a truly random function. And therefore, assuming $g_s$ is secure against polynomial-time quantum adversaries, there can be no polynomial-time quantum algorithm to forge banknotes that pass the authentication test with non-negligible probability.

However, the BBBW scheme still has a serious draw- 
back: namely that s, which is needed for the au- 
thentication procedure, must remain a closely-guarded 
secret. And thus it would presumably be unwise, 
for example, to install the authentication devices in 
convenience-store cash registers. What we really want 
is a scheme where the procedure for authenticating the 
money is completely public, and only the procedure for 
minting the money is secret. 

Bennett et al. [8] presented a candidate for such a publicly-verifiable quantum money scheme,^8 which was based on the hardness of factoring Blum integers.^9 Unfortunately, their scheme was insecure for two reasons. First, we now know that factoring is in quantum polynomial time! But even were we to base the scheme on some other cryptographic primitive, Bennett et al. pointed out that it could be broken by an adversary who is able to make entangled measurements on all of the qubits in a banknote. The question of whether secure quantum money with public authentication is possible has remained open for 30 years.

Concurrently with our work, there has been a recent renewal of interest in the quantum money problem. In his PhD thesis, Stebila [3D] provides a lucid overview of quantum money, and explains why our Complexity-Theoretic No-Cloning Theorem implies the existence of a quantum oracle relative to which publicly-verifiable quantum money is possible.^10

As far as we know, the idea of using quantum me- 
chanics to copy-protect software is original to this work. 

1.3 Organization 

The rest of this extended abstract is organized as follows. Section 2 formally defines quantum money and copy-protection schemes and investigates their basic properties, and also recalls some preliminaries from cryptography and quantum information. Section 3 considers quantum money schemes: our explicit candidate proposal based on random stabilizer states in Section 3.1 and our oracle result in Section 3.2. Section 4 then discusses quantum copy-protection: the candidate schemes for copy-protecting point functions in Section 4.1 and the oracle result in Section 4.2. We conclude in Section 5 with a list of open problems. We regret that, because of space limitations, much of the paper's technical content (including the proof of the Complexity-Theoretic No-Cloning Theorem and the explicit construction of quantum $t$-designs) has had to be relegated to the full version.



8 Bennett et al. described their public-key scheme in terms of 
"subway tokens" rather than money — since if we want to authen- 
ticate the tokens using single-qubit measurements only, then the 
authentication test necessarily destroys the tokens and prevents 
their reuse. On the other hand, supposing we could perform an 
entangled measurement on all n qubits in a token, it would be 
possible to authenticate the token while preserving its quantum 
coherence. For this reason, the token could be used as money. 

9 More generally, their scheme could be based on any trapdoor 
collision-resistant hash function: that is, a CRHF such that one 
can efficiently sample collision pairs using some hidden trapdoor 
information. 

10 Indeed, our original interest was in copy-protection; it was Stebila, along with M. Mosca, who pointed out to us the application to unforgeable money.



2 Preliminaries 

For simplicity, in this paper we restrict ourselves to nonuniform (circuit) computation. Given two mixed states $\rho$ and $\sigma$, the trace distance $\|\rho - \sigma\|_{\mathrm{tr}}$ equals the maximum, over all measurements $M$, of the variation distance $\|M(\rho) - M(\sigma)\|$ between the probability distributions $M(\rho), M(\sigma)$ over measurement outcomes obtained by applying $M$ to $\rho$ and $\sigma$ respectively. We will use the following lemma of Aaronson [1]:

Lemma 1 ("Almost As Good As New Lemma") Suppose a measurement on a mixed state $\rho$ yields a particular outcome with probability $1 - \varepsilon$. Then after the measurement, one can recover a state $\tilde{\rho}$ such that

$$\|\tilde{\rho} - \rho\|_{\mathrm{tr}} \le \sqrt{\varepsilon}.$$

See Nielsen and Chuang [17] for other quantum information concepts used in this paper.

In what follows, we will sometimes use the assump- 
tion that there exists a pseudorandom function family 
secure against quantum adversaries. The following 
theorem helps to justify that assumption. 

Theorem 4 Suppose there exists a one-way function $A : \{0,1\}^n \to \{0,1\}^n$ that is secure against $2^{n^{\Omega(1)}}$-time quantum adversaries. Then there also exists a family $f_s : \{0,1\}^n \to \{0,1\}^n$ of pseudorandom functions, parameterized by a seed $s \in \{0,1\}^{\mathrm{poly}(n)}$, that is secure against $2^{n^{\Omega(1)}}$-time quantum adversaries. (Here $A$ and $f_s$ are both computable in classical polynomial time.)

Proof Sketch. Håstad et al. [19] showed that if $2^{n^{\Omega(1)}}$-secure one-way functions exist, then so do $2^{n^{\Omega(1)}}$-secure pseudorandom generators. Razborov and Rudich [18] showed that if $2^{n^{\Omega(1)}}$-secure pseudorandom generators exist, then so do $2^{n^{\Omega(1)}}$-secure pseudorandom function families (with polynomial seed length). Since both of these reductions are "black-box," they go through essentially without change if the adversary is quantum. ∎

Interestingly, the reduction of Goldreich, Goldwasser, and Micali [12], from $f(n)$-secure pseudorandom generators to $f(n)^{\Omega(1)}/\mathrm{poly}(n)$-secure pseudorandom functions with seed length $n$, does not go through if the adversary is quantum.^11 We leave as an open problem whether a "strong," GGM-style reduction from PRGs to PRFs can be proved in the quantum setting.



11 This is because the GGM reduction makes essential use of the fact that a polynomial-time adversary can examine only $\mathrm{poly}(n)$ outputs of the function $f_s$ — something that is manifestly false if the adversary is quantum.
2.1 Quantum Money

Intuitively, a public-key quantum money scheme is 
a scheme in which 

(1) quantum banknotes can be efficiently produced by 
a central bank, 

(2) there exists a polynomial-time quantum algorithm 
for authenticating the banknotes, which is com- 
pletely public, and 

(3) given as input k valid banknotes, a polynomial- 
time counterfeiter cannot produce k + 1 valid 
banknotes that have non-negligible probability of 
passing the authentication test. 

We now give a formal definition. 

Definition A quantum money scheme with key size $n$ consists of the following:

• A quantum circuit $B$ of size $O(\mathrm{poly}(n))$ (the "bank"), which takes a string $s \in \{0,1\}^n$ (the "secret key") as input, and produces a classical string $e_s$ (the "public key") and mixed state $\rho_s$ (the "banknote") as output.^12

• A quantum circuit $A$ of size $O(\mathrm{poly}(n))$ (the "authenticator"), which takes a string $e$ and state $\rho$ as input and either accepts or rejects.

We say $(B, A)$ has completeness error $\varepsilon$ if $A(e_s, \rho_s)$ accepts with probability at least $1 - \varepsilon$ for all $s$. We say $(B, A)$ has soundness error $\delta$ if for all quantum circuits $C$ of size $O(\mathrm{poly}(n))$ (the "counterfeiter") and all $k, r = O(\mathrm{poly}(n))$, the following holds. Assume $C$ takes $\rho_s^{\otimes k}$ as input, and outputs a state $\sigma_s$ on $k + r$ registers. For $i \in [k+r]$, let $\sigma_s^i$ denote the contents of the $i$th register, and let $p_i$ be the probability that $A(e_s, \sigma_s^i)$ accepts, averaged over all $s \in \{0,1\}^n$. Then
We call $(B, A)$ public-key if $C$ also receives $e_s$ as input, and private-key otherwise. If $(B, A)$ is private-key, we call it query-secure if $C$ has access to an oracle that takes a state $\sigma$ as input and simulates $A(e_s, \sigma)$ (that is, accepts with the same probability and returns the same post-measurement state $\tilde{\sigma}$).^13

12 One can of course generalize the definition to let $e_s$ be randomized or even a quantum state, and possibly correlated with $\rho_s$ as well. However, we will not need the additional freedom in this paper.

13 Note that any public-key scheme is also query-secure, since 
we can hardwire a description of A into C. 



We make a few remarks on Definition 2.1. First, it is obvious that no money scheme exists where the states $\rho_s$ are classical.^14 Second, if a money scheme has completeness error $\varepsilon$, it follows from Lemma 1 that the authentication procedure can return a banknote $\tilde{\rho}_s$ such that $\|\tilde{\rho}_s - \rho_s\|_{\mathrm{tr}} \le \sqrt{\varepsilon}$. This means that the same banknote can be verified $\Omega(1/\sqrt{\varepsilon})$ times before it needs to be replaced. In this paper, we will generally be interested in schemes with perfect completeness.
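As an added worked derivation (not part of the paper), here is how the $\Omega(1/\sqrt{\varepsilon})$ figure follows from Lemma 1. Write $V$ for one round of "run $A$, then undo its workspace," treated as a quantum channel with $V(\rho_s) = \tilde{\rho}_s$ (an assumption about how Lemma 1's recovery is carried out), and let $\rho^{(0)} = \rho_s$ and $\rho^{(j)} = V(\rho^{(j-1)})$ be the note after $j$ verifications. Since a channel cannot increase trace distance, the triangle inequality gives

$$\|\rho^{(j)} - \rho_s\|_{\mathrm{tr}} \;\le\; \|V(\rho^{(j-1)}) - V(\rho_s)\|_{\mathrm{tr}} + \|V(\rho_s) - \rho_s\|_{\mathrm{tr}} \;\le\; \|\rho^{(j-1)} - \rho_s\|_{\mathrm{tr}} + \sqrt{\varepsilon},$$

so by induction $\|\rho^{(j)} - \rho_s\|_{\mathrm{tr}} \le j\sqrt{\varepsilon}$. Because the trace distance upper-bounds the change in any measurement outcome's probability,

$$\Pr\big[A(e_s, \rho^{(j)}) \text{ accepts}\big] \;\ge\; 1 - \varepsilon - j\sqrt{\varepsilon} \;\ge\; \tfrac{1}{2} \qquad \text{whenever } j \le \frac{1/2 - \varepsilon}{\sqrt{\varepsilon}} = \Omega\!\left(1/\sqrt{\varepsilon}\right),$$

which is the number of verifications the same note survives with constant acceptance probability.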

Third, we will generally want the soundness error $\delta$ to be negligible (that is, $o(1/p(n))$ for all polynomials $p$). If $\delta$ is negligible, then it is easy to see that, starting from $\rho_s^{\otimes k}$, no polynomial-time counterfeiter $C$ can ever increase its "wealth" (defined as the expected number of states in $C$'s possession that $A$ accepts) by more than a negligible amount in expectation. Note that this is true even if the states output by $C$ are entangled; our definition automatically accounts for this possibility.

We now discuss some examples. The BBBW scheme [8], discussed in Section 1.2, is a private-key quantum money scheme. We therefore have the following:

Theorem 5 (implicit in [8]) If there exists a pseudorandom function family secure against quantum adversaries, then there exists a private-key quantum money scheme with perfect completeness and exponentially small soundness error.

However, the BBBW scheme is not query-secure. The reason is simple: given a banknote of the form $|y\rangle |\psi_{g_s(y)}\rangle$, a counterfeiter can learn a classical description of $|\psi_{g_s(y)}\rangle$, by rotating each qubit $i$ in turn while leaving the other $n/2 - 1$ qubits fixed, and repeatedly feeding the result to the authenticator $A$ until it has ascertained the correct state of the $i$th qubit. This works because $A$ always measures the qubits in the correct bases, and therefore does not damage the qubits that are not being rotated. Of course, once the counterfeiter has learned a classical description of $|\psi_{g_s(y)}\rangle$, it can then produce as many copies of $|y\rangle |\psi_{g_s(y)}\rangle$ as it likes.
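The following is an added toy simulation (not code from the paper) of the BBBW scheme of Section 1.2 and of the query attack just described, showing concretely why query-security has to be demanded separately from private-key security. The PRF $g_s$ is stood in for by SHA-256 keyed with the seed (an assumption made for the toy; it says nothing about quantum-secure PRFs), the seed and serial number are constructed sample values, and each qubit is a real two-component amplitude vector, which suffices because every state involved is a product of $|0\rangle, |1\rangle, |+\rangle, |-\rangle$. The counterfeiter's "rotation" is a Pauli $X$ flip: it maps $|0\rangle \leftrightarrow |1\rangle$ (so $A$ rejects) but fixes $|\pm\rangle$ up to a global phase (so $A$ accepts), which reveals the basis of qubit $i$ in one query; a measurement in that basis then reveals the value without disturbing the eigenstate.

```python
# Added example: toy BBBW private-key quantum money and the query attack
# against it.  Not the paper's code.  g_s is a SHA-256 stand-in (assumption).
import hashlib
import math
import random

SQ = 1 / math.sqrt(2)
# One qubit = (amplitude of |0>, amplitude of |1>); all amplitudes here are real.
# Z basis = {|0>, |1>}, X basis = {|+>, |->}.
BASIS_STATES = {"Z": [(1.0, 0.0), (0.0, 1.0)], "X": [(SQ, SQ), (SQ, -SQ)]}


def g(s: bytes, y: bytes, n: int) -> str:
    """Stand-in for the bank's PRF g_s(y): first n bits of SHA-256(s || y)."""
    digest = hashlib.sha256(s + y).digest()
    return "".join(f"{b:08b}" for b in digest)[:n]


def encode(code: str) -> list:
    """Two bits per qubit: 00 -> |0>, 01 -> |1>, 10 -> |+>, 11 -> |->."""
    qubits = []
    for i in range(0, len(code), 2):
        basis = "Z" if code[i] == "0" else "X"
        qubits.append(BASIS_STATES[basis][int(code[i + 1])])
    return qubits


def measure(q, basis: str, rng):
    """Projective measurement of one qubit; returns (outcome, post-measurement state)."""
    b0, b1 = BASIS_STATES[basis]
    amp0 = b0[0] * q[0] + b0[1] * q[1]                # <b0|q>
    p0 = min(1.0, max(0.0, round(amp0 * amp0, 9)))   # snap float noise to exact 0/1
    outcome = 0 if rng.random() < p0 else 1
    return outcome, (b0 if outcome == 0 else b1)


def mint(s: bytes, y: bytes, n: int):
    """The bank issues the note |y>|psi_{g_s(y)}>."""
    return (y, encode(g(s, y, n)))


def authenticate(s: bytes, note, n: int, rng):
    """Authenticator A: measure each qubit in the basis dictated by g_s(y) and
    accept iff every outcome matches.  Returns (accepted, post-measurement note)."""
    y, qubits = note
    code = g(s, y, n)
    accepted, post = True, []
    for i, q in enumerate(qubits):
        basis = "Z" if code[2 * i] == "0" else "X"
        outcome, q_post = measure(q, basis, rng)
        accepted = accepted and outcome == int(code[2 * i + 1])
        post.append(q_post)
    return accepted, (y, post)


def query_attack(note, oracle):
    """Counterfeiter with black-box access to A (via `oracle`) but no knowledge
    of s.  Learns the note's classical description qubit by qubit and returns
    (learned code, undamaged note)."""
    y, qubits = note
    qubits = list(qubits)
    learned = ""
    for i in range(len(qubits)):
        flipped = qubits[:]
        flipped[i] = (qubits[i][1], qubits[i][0])      # Pauli X on qubit i
        accepted, (_, post) = oracle((y, flipped))
        qubits = list(post)
        qubits[i] = (post[i][1], post[i][0])           # undo the flip
        basis = "X" if accepted else "Z"               # X fixes |+>,|->; flips |0>,|1>
        # The qubit is an eigenstate of the learned basis, so reading it is harmless.
        value, qubits[i] = measure(qubits[i], basis, random.Random(0))
        learned += ("1" if basis == "X" else "0") + str(value)
    return learned, (y, qubits)


def demo(n: int = 16, copies: int = 5) -> dict:
    """Mint a note, verify it, run the attack, then verify `copies` forgeries."""
    s, y = b"bank-secret-seed", b"serial-0001"       # constructed sample values
    rng = random.Random(1)
    note = mint(s, y, n)
    honest_ok, note = authenticate(s, note, n, rng)
    oracle = lambda candidate: authenticate(s, candidate, n, rng)
    learned, note = query_attack(note, oracle)
    forgeries = [(y, encode(learned)) for _ in range(copies)]
    forged_ok = all(authenticate(s, f, n, rng)[0] for f in forgeries)
    still_ok, _ = authenticate(s, note, n, rng)
    return {"honest_accepts": honest_ok, "learned_matches_bank": learned == g(s, y, n),
            "forgeries_accept": forged_ok, "original_still_valid": still_ok}


if __name__ == "__main__":
    print(demo())
```

With $n/2$ qubits the attack needs exactly $n/2$ oracle queries and leaves the original note valid, which is the sense in which a private-key scheme can be secure against a counterfeiter holding only notes yet fall to one who can talk to the authenticator; a query-secure scheme has to prevent this interaction from leaking a usable description of the state.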

In the full version of this paper, we will give a 
private-key quantum money scheme that is query- 
secure, assuming the existence of pseudorandom func- 
tions secure against quantum adversaries. We will also 
prove the following result, which is not entirely trivial: 



14 Furthermore, no query-secure scheme can exist where the states $\rho_s$ have $O(\log n)$ qubits. For in that case the counterfeiter could reconstruct $\rho_s$ in polynomial time, by first generating a tomographically complete set of states, and then sending several copies of each state to $A$ to estimate the probability that each one is accepted.
Theorem 6 Any quantum money scheme satisfying Definition 2.1 (even a private-key one) must rely on some computational assumption.

As mentioned in Section 1.2, Wiesner's original scheme [22] avoided the need for any computational assumption, but only by having the bank maintain a giant lookup table, containing a classical description of every banknote that has ever been issued. If we want to fit Wiesner's scheme into Definition 2.1, one way to do it is to assume that all parties have access to a (classical) random oracle $O$. For then the bank can use a secret part of the oracle string to generate the banknotes $|y\rangle |\psi_y\rangle$; and to any counterfeiter who does not know which part of the oracle the bank is using, the states $|\psi_y\rangle$ will appear to be drawn uniformly from $\{|0\rangle, |1\rangle, |+\rangle, |-\rangle\}^n$. This observation gives us the following:

Theorem 7 (implicit in [22]) Relative to a random oracle $O$, there exists a private-key quantum money scheme with perfect completeness and exponentially small soundness error.

On the other hand, Wiesner's scheme is not query- 
secure, for the same reason the BBBW scheme is not. 
In the full version of this paper, we give a private-key 
quantum money scheme that is query-secure, relative 
to a random oracle O. 

In Section 3.1 we will present a candidate for a public-key quantum money scheme based on random stabilizer states, while in Section 3.2 we will prove that public-key quantum money schemes exist relative to a quantum oracle.

The situation is summarized in Table 2.1.

2.2 Quantum Copy-Protection 

What if we want to distribute unclonable quantum states that are useful for something besides just getting authenticated? This brings us to the question of quantum software copy-protection. Informally, given a secret Boolean function $f : \{0,1\}^n \to \{0,1\}$ drawn from a known family $\mathcal{F}$, what we want is a quantum state $\rho_f$ that

(1) can be efficiently prepared given a classical description of $f$,

(2) can be used to compute $f(x)$ efficiently for any input $x \in \{0,1\}^n$, and

(3) cannot be efficiently used to prepare more states from which $f$ can be computed in quantum polynomial time.



It is clear that, if the function family $\mathcal{F}$ is efficiently learnable — in the sense that we can output a circuit for an unknown $f \in \mathcal{F}$ in quantum polynomial time, using only oracle access to $f$ — then there is no hope of copy-protecting $f$. For in that case, being able to run a program for $f$ is tantamount to being able to copy the program. Indeed, even if we cannot learn a useful classical description of $f$ by measuring $\rho_f$, it might still be possible to prepare additional quantum programs for $f$ directly, by some quantum operation on $\rho_f$.

The quantum copy-protection problem might remind readers of the classical code obfuscation problem, and indeed there are similarities. Roughly speaking, we say a program $P$ for a function $f\in\mathcal{F}$ is obfuscated if knowing $P$'s source code is "no more useful" than being able to run $P$, in the sense that any property of $f$ that is efficiently computable given $P$'s source code is also efficiently computable given oracle access to $f$. Barak et al. [6] famously showed that there exist function families $\mathcal{F}$ that are impossible to obfuscate. On the other hand, Wee [H] and others have shown that, under strong cryptographic assumptions, it is possible to obfuscate point functions and several related families of functions. In Section 4.1 we will give proposals for quantumly copy-protecting point functions that are somewhat reminiscent of known methods for obfuscating point functions.

However, let us point out two differences between copy-protection and obfuscation. Firstly, it is trivial to show that copy-protection is always impossible in the classical world, for any function family: one does not need anything like the elegant argument of Barak et al. [6]. Secondly, as discussed before, any function family $\mathcal{F}$ that is learnable from input/output behavior cannot be copy-protected; but for exactly the same reason, $\mathcal{F}$ can be obfuscated! For if we can output a program for $f\in\mathcal{F}$ using only oracle access to $f$, then clearly the source code of that program is no more useful than the oracle access. Thus, while unbreakable copy-protection has connections with obfuscation, fundamentally it is a new cryptographic task, one whose very possibility depends on quantum mechanics.

We now define quantum copy-protection schemes. 

Definition 2.2 Consider a family $\mathcal{F}$ of Boolean functions $f:\{0,1\}^n\to\{0,1\}$, where each $f\in\mathcal{F}$ is associated with a unique "description" $d_f\in\{0,1\}^m$. (Thus $|\mathcal{F}|\le 2^m$.) A quantum copy-protection scheme for $\mathcal{F}$ consists of the following:

• A quantum circuit $V$ of size $O(\mathrm{poly}(n,m))$ (the "vendor"), which takes $d_f$ as input and produces a mixed state $\rho_f$ as output.

• A quantum circuit $C$ of size $O(\mathrm{poly}(n,m))$ (the "customer"), which takes $(\rho_f,x)$ as input and attempts to output $f(x)$.

We say $(V,C)$ has correctness parameter $\varepsilon$ if $C$ outputs $f(x)$ with probability at least $1-\varepsilon$ given $(\rho_f,x)$ as input, for all $f\in\mathcal{F}$ and $x\in\{0,1\}^n$.

We say $(V,C)$ has security $\delta$ against a probability distribution $\mathcal{D}$ over $\mathcal{F}\times\{0,1\}^n$, if for all quantum circuits $P$ and $L$ of size $O(\mathrm{poly}(n,m))$ (the "pirate" and "freeloader" respectively) and all $k,r=O(\mathrm{poly}(n,m))$, the following holds. Assume $P$ takes $\rho_f^{\otimes k}$ as input, and outputs a state $\sigma_f$ on $k+r$ registers. For $i\in[k+r]$, let $\sigma_i$ denote the contents of the $i$th register. Also, suppose $L$ takes $(\rho_f,x)$ as input and attempts to output $f(x)$. Then if we run $L$ on $(\sigma_i,x)$ for all $i\in[k+r]$, the expected number of invocations that output $f(x)$, averaged over $(f,x)$ drawn from $\mathcal{D}$, is at most $k+(1-\delta)r$.$^{15}$

Table 1. Known quantum money schemes and their properties

Money Scheme        Type          Oracle   Security        States Used     Reference
Wiesner             Private-key   Random   Unconditional   Single qubits   [22]
BBBW                Private-key   None     Assuming PRFs   Single qubits   [?]
Modified Wiesner    Query-secure  Random   Unconditional   Haar-random     Full version
Modified BBBW       Query-secure  None     Assuming PRFs   Haar-random     Full version
Quantum Oracle      Public-key    Quantum  Unconditional   Haar-random     This paper
Random Stabilizers  Public-key    None     Conjectured     Stabilizer      This paper

A few remarks on Definition 2.2. First, the security criterion might seem a bit strange. The basic motivation is that we need to ignore "trivial" pirating strategies, such as mapping the state $\rho_f^{\otimes 2}$ to

$$\frac{1}{3}\left(\rho_f\otimes\rho_f\otimes I+\rho_f\otimes I\otimes\rho_f+I\otimes\rho_f\otimes\rho_f\right),$$

which has large fidelity with $\rho_f$ on each of the three registers. On the other hand, we also do not want to require all $k+r$ pirated programs to output the right answer simultaneously (with high probability and on some input $x$), since that criterion is too stringent even for legitimate programs with constant error. Looking at the expected number of correct answers is convenient, since by linearity of expectation, we can then ignore entanglement and classical correlations among the registers. Note that it is always possible for $(1-\varepsilon)k+r/2$ of the $k+r$ pirated programs to get the right answers on average, using a pirating strategy that outputs the legitimate programs $\rho_f^{\otimes k}$, alongside $r$ programs that guess randomly on every input $x$. But ideally it should not be possible to do too much better than that.

$^{15}$ One might also want to require a concentration inequality, e.g. that for all inputs $x$, the probability that at least $k+2r/3$ of the pirated programs output $f(x)$ correctly decreases exponentially with $r$. This is a topic we leave to future work.

Second, a natural question is whether the state $\rho_f$ can be used more than once, or whether the irreversibility of measurement makes such a state "disposable." In our setting, disposable states might actually be preferred, since any disposable state is copy-protected by definition! (If we could copy $\rho_f$ with high fidelity, then we could run each copy on a different input $x$, contrary to assumption.) However, it is not hard to see that, provided the customer buys $k=\Omega(n)$ copies of $\rho_f$ from the quantum software store, she can evaluate $f$ on as many inputs as she likes, indeed all $2^n$ of them, if she has exponential time. For by standard amplification, $\rho_f^{\otimes k}$ can be used to evaluate $f$ with error probability $2^{-\Omega(n)}$. So by Lemma 1, it is possible to reuse $\rho_f^{\otimes k}$ an exponential number of times, by uncomputing garbage after each measurement.

In this paper, we will typically assume that $\rho_f$ "comes from the store" already amplified, and that both customers and would-be software pirates can therefore reuse $\rho_f$ as many times as needed. This raises an interesting point: given an amplified state $\rho_f=\sigma^{\otimes k}$, a customer willing to tolerate slightly higher error could always split $\rho_f$ into $\sigma^{\otimes k/2}\otimes\sigma^{\otimes k/2}$, and give one of the copies of $\sigma^{\otimes k/2}$ to a friend (rather like donating a kidney). We leave as an open question whether it is possible to amplify success probability in a way that does not allow this sort of sharing.

Third, call the function family $\mathcal{F}$ and distribution $\mathcal{D}$ quantumly learnable with error $\delta$ if there exist polynomial-size quantum circuits $Q$ and $C$ such that

$$\Pr_{(f,x)\sim\mathcal{D}}\left[C(Q^f,x)\text{ outputs }f(x)\right]\ge 1-\delta,$$

where $Q^f$ denotes the mixed state output by $Q$ given oracle access to $f$. (Note that $Q$ does not receive $x$.) The following simple proposition delimits the function families that one can hope to copy-protect.



Proposition 1 No $(\mathcal{F},\mathcal{D})$ pair that is quantumly learnable with error $\delta$ can be quantumly copy-protected with security $\delta+2^{-n}$.

Proof. Using an amplified state of the form $\rho_f^{\otimes\mathrm{poly}(n)}$, a pirate can simulate quantum oracle access to $f$ with exponentially small error. The pirate can thereby use the learning algorithm $Q^f$ to output as many states $\sigma_f$ as he wants with the property that $\Pr_{(f,x)\sim\mathcal{D}}[C(\sigma_f,x)\text{ outputs }f(x)]\ge 1-\delta-2^{-n}$. Note that by Lemma 1, each "query" to $f$ damages $\rho_f^{\otimes\mathrm{poly}(n)}$ by only an exponentially small amount. ■

Notice that if $|\mathcal{F}|\le\mathrm{poly}(n)$, then $\mathcal{F}$ is quantumly learnable (and indeed classically learnable), since the learning algorithm $Q$ simply needs to hardwire inputs $x_1,\ldots,x_{|\mathcal{F}|-1}$ such that every two distinct $f,f'\in\mathcal{F}$ differ on some $x_i$. Thus, one corollary of Proposition 1 is that we can only hope to copy-protect superpolynomially large function families.

Let us end with a simple but important fact, which 
shows that, as in the quantum money case, we can only 
hope for security under computational assumptions. 

Proposition 2 A software pirate with unlimited com- 
putational power can break any quantum copy- 
protection scheme. 

Proof. Let $f$ and $g$ be two functions in $\mathcal{F}$, and assume there exists an $x\in\{0,1\}^n$ such that $f(x)\neq g(x)$. Then letting $\rho_f$ and $\rho_g$ be the quantum programs for $f$ and $g$ respectively, the fidelity $F(\rho_f,\rho_g)$ must be at most $\epsilon$, for some $\epsilon$ bounded away from 1 by a constant. (Otherwise $\rho_f$ and $\rho_g$ would lead to the same answers on $x$ with $1-o(1)$ probability.) This implies that $F(\rho_f^{\otimes k},\rho_g^{\otimes k})\le\epsilon^k$. So if we choose $k$ sufficiently large (say, more than $2m$), then the set of states $\{\rho_f^{\otimes k}\}_{f\in\mathcal{F}}$ is extremely close to an orthonormal basis. Thus, as in the algorithm of Ettinger, Høyer, and Knill [10] for the nonabelian Hidden Subgroup Problem, there must be a measurement of $\rho_f^{\otimes k}$ (possibly exponentially hard to implement) that outputs $f$ with high probability. ■

3 Quantum Money 

We now consider the problem of developing public-key quantum money schemes. First, in Section 3.1 we propose an explicit candidate scheme for public-key quantum money, based on random stabilizer states. Then, in Section 3.2 we use the Complexity-Theoretic No-Cloning Theorem to construct a quantum oracle relative to which public-key quantum money schemes exist.



3.1 The Random Stabilizer Scheme 

Recall that a stabilizer state is a pure state that can be obtained by starting from $|0\rangle^{\otimes n}$ and then applying controlled-NOT, Hadamard, and $\pi/4$-phase gates, while a stabilizer measurement is a measurement that can be performed using those gates together with computational basis measurements. (See Aaronson and Gottesman [2] for details.) Given a security parameter $n$, let $\mathcal{D}_n$ be the uniform distribution over all $n$-qubit stabilizer states. Also, let $m,\ell,\varepsilon$ be additional parameters such that $n/\varepsilon\ll m\ll 1/\varepsilon^2\ll\ell$.

To generate a banknote, first the bank prepares $\ell$ stabilizer states $|C_1\rangle,\ldots,|C_\ell\rangle$, which are drawn independently from $\mathcal{D}_n$. (It is well-known that any stabilizer state can be prepared in polynomial time.) The bank temporarily remembers the classical descriptions of the $|C_i\rangle$'s, though it can erase those descriptions once the preparation procedure is finished. Next, for each $i\in[\ell]$, the bank generates $m$ random stabilizer measurements $E_{i1},\ldots,E_{im}$ as follows. For each $j\in[m]$:

• With probability $1-\varepsilon$, $E_{ij}$ is a tensor product of $n$ uniformly random Pauli operators, with a random phase. That is, $E_{ij}=(-1)^b P_1\otimes\cdots\otimes P_n$, where $b$ is drawn uniformly from $\{0,1\}$, and each $P_t$ is drawn uniformly from $\{I,\sigma_x,\sigma_y,\sigma_z\}$.

• With probability $\varepsilon$, $E_{ij}$ is a random tensor product of Pauli operators as above, except that we condition on the event that $|C_i\rangle$ is a $+1$ eigenstate of $E_{ij}$ (that is, $E_{ij}|C_i\rangle=|C_i\rangle$).

We can represent these $\ell m$ measurements by a table $\mathcal{E}=(E_{ij})_{i\in[\ell],\,j\in[m]}$ using $(2n+1)\ell m$ classical bits. Finally, the bank generates an ordinary, classical digital signature $\mathrm{sig}(\mathcal{E})$ of the table $\mathcal{E}$, to prove that it and it alone could have generated $\mathcal{E}$. The bank then distributes $(|C_1\rangle,\ldots,|C_\ell\rangle,\mathcal{E},\mathrm{sig}(\mathcal{E}))$ as the quantum banknote.

To authenticate such a banknote, one does the following. First check that $\mathrm{sig}(\mathcal{E})$ is a valid digital signature for $\mathcal{E}$. Next, for each $i\in[\ell]$, choose an index $j(i)\in[m]$ uniformly at random. Let $M$ be the two-outcome measurement that applies $E_{1j(1)}$ to $|C_1\rangle$, $E_{2j(2)}$ to $|C_2\rangle$, and so on up to $|C_\ell\rangle$, and that accepts if and only if the majority of these measurements return a $+1$ outcome (corresponding to $|C_i\rangle$ being a $+1$ eigenstate of $E_{ij(i)}$). Then apply $M$ to $|C_1\rangle\otimes\cdots\otimes|C_\ell\rangle$, accept if and only if $M$ accepts, and finally uncompute to get rid of garbage.

By construction, each $|C_i\rangle$ will be measured to be in a $+1$ eigenstate of $E_{ij(i)}$ with independent probability $\frac{1-\varepsilon}{2}+\varepsilon=1/2+\varepsilon/2$. So by a Chernoff bound, the probability that $M$ rejects is bounded away from 1. Indeed, we can make the probability that $M$ rejects exponentially small, by simply taking $\ell$ to be sufficiently larger than $1/\varepsilon^2$. By Lemma 1, this implies that when we uncompute, we recover a state that is exponentially close to $|C_1\rangle\otimes\cdots\otimes|C_\ell\rangle$ in trace distance, which in turn implies that we can reuse the quantum banknote an exponential number of times.

On the other hand, we conjecture the following: 

Conjecture 1 Given $(|C_1\rangle,\ldots,|C_\ell\rangle,\mathcal{E},\mathrm{sig}(\mathcal{E}))$, it is computationally infeasible not only to recover classical descriptions of the states $|C_1\rangle,\ldots,|C_\ell\rangle$, but even to prepare additional copies of these states, or for that matter, of any states that are accepted by the authentication procedure with non-negligible probability.

The intuition behind Conjecture 1 is this: recovering classical descriptions of $|C_1\rangle,\ldots,|C_\ell\rangle$ given $\mathcal{E}$ can be seen as a random instance of the noisy decoding problem for linear codes, which is known to be NP-complete in the worst case (see Berlekamp et al. [9]). Furthermore, while it is conceivable that a counterfeiter could use her knowledge of $\mathcal{E}$ to copy the $|C_i\rangle$'s without learning classical descriptions of them, we have not found an efficient way to do this. Indeed, it seems possible that to a polynomial-time quantum algorithm, even one with knowledge of $\mathcal{E}$, the $|C_i\rangle$'s are actually indistinguishable from $n$-qubit maximally mixed states.

Note that the scheme is not secure if $m<n/\varepsilon$, since then finding an $n$-qubit stabilizer state $|C_i\rangle$ that is accepted by an $\varepsilon$ fraction of the measurements $E_{i1},\ldots,E_{im}$ is a trivial problem, solvable by Gaussian elimination. Likewise, the scheme is not secure if $\varepsilon$ is too large (say, greater than $1/\sqrt{m}$), since then one can recover the stabilizer group of $|C_i\rangle$, with high probability, by listing all measurements in the set $\{E_{i1},\ldots,E_{im}\}$ that commute with suspiciously more than half of the other measurements in the set.$^{16}$ Thus, Conjecture 1 can only hold for suitable parameter ranges.
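The following is an added simulation of the bank's measurement table for one state $|C_i\rangle$ and of the commuting-statistics attack just described; it is not code from the paper. Paulis are handled in the binary symplectic picture (a $2n$-bit vector, with the sign bit $(-1)^b$ dropped because the attack never uses it), so "commute" is a symplectic inner product over $\mathbb{F}_2$ and "$|C_i\rangle$ is a $+1$ eigenstate of $E_{ij}$" means $E_{ij}$ lies in the stabilizer group, an $n$-dimensional isotropic subspace. Sampling that subspace by symplectic Gram-Schmidt is this example's construction. The attack flags every measurement whose count of commuting partners exceeds the midpoint $m/2+\varepsilon m/4$: stabilizer elements sit near $m/2+\varepsilon m/2$, random Paulis near $m/2$ with spread $\sqrt{m}/2$, which is why it works only once $\varepsilon\gg 1/\sqrt{m}$ and fails for small $\varepsilon$.

```python
import random


def symp(p: int, q: int, n: int) -> int:
    """Symplectic inner product over F_2 of two n-qubit Paulis encoded as 2n-bit
    ints (low n bits = X part, high n bits = Z part). 0: commute, 1: anticommute."""
    mask = (1 << n) - 1
    px, pz, qx, qz = p & mask, p >> n, q & mask, q >> n
    return bin((px & qz) ^ (pz & qx)).count("1") & 1


def random_stabilizer_group(n: int, rng: random.Random):
    """n independent, mutually commuting Paulis generating a uniformly random
    n-qubit stabilizer group (phases ignored). Symplectic Gram-Schmidt: each
    candidate is projected to commute with the hyperbolic pairs found so far."""
    pairs = []

    def project(u: int) -> int:
        for v, w in pairs:
            if symp(u, w, n):
                u ^= v
            if symp(u, v, n):
                u ^= w
        return u

    while len(pairs) < n:
        v = project(rng.getrandbits(2 * n))
        if v == 0:
            continue
        w = 0
        while not symp(v, w, n):
            w = project(rng.getrandbits(2 * n))
        pairs.append((v, w))
    return [v for v, _ in pairs]


def reduce(v: int, basis) -> int:
    """Reduce v against an echelon basis (list of (pivot, vec), pivots descending);
    returns 0 iff v is in the span."""
    for piv, b in basis:
        if (v >> piv) & 1:
            v ^= b
    return v


def add_to_basis(v: int, basis) -> bool:
    """Insert v into the echelon basis if it is independent; report whether it was."""
    v = reduce(v, basis)
    if v == 0:
        return False
    basis.append((v.bit_length() - 1, v))
    basis.sort(reverse=True)
    return True


def issue_measurements(gens, n: int, m: int, eps: float, rng: random.Random):
    """The bank's E_i1..E_im for one state: with probability eps a uniformly random
    element of the stabilizer group, otherwise a uniformly random Pauli."""
    meas = []
    for _ in range(m):
        if rng.random() < eps:
            p = 0
            for g in gens:
                if rng.getrandbits(1):
                    p ^= g
        else:
            p = rng.getrandbits(2 * n)
        meas.append(p)
    return meas


def commuting_attack(meas, n: int, eps: float):
    """Flag indices whose number of commuting partners exceeds m/2 + eps*m/4."""
    m = len(meas)
    threshold = m / 2 + eps * m / 4
    flagged = []
    for i, p in enumerate(meas):
        commuting = sum(1 for q in meas if not symp(p, q, n)) - 1  # exclude self
        if commuting > threshold:
            flagged.append(i)
    return flagged


def run(n: int, m: int, eps: float, seed: int):
    """Returns (flagged indices, indices truly in the stabilizer group, rank of
    the span of the flagged Paulis). Rank n means the group was recovered."""
    rng = random.Random(seed)
    gens = random_stabilizer_group(n, rng)
    basis = []
    for g in gens:
        add_to_basis(g, basis)
    meas = issue_measurements(gens, n, m, eps, rng)
    members = [i for i, p in enumerate(meas) if reduce(p, basis) == 0]
    flagged = commuting_attack(meas, n, eps)
    recovered = []
    for i in flagged:
        add_to_basis(meas[i], recovered)
    return flagged, members, len(recovered)
```

With $n=16$, $m=1200$ and $\varepsilon=0.3$ (well above $1/\sqrt{m}\approx 0.03$) the flagged set is exactly the set of group elements and spans the whole stabilizer group; with $\varepsilon=0.05$ and $m=400$ the two populations overlap and the attack flags a large number of random Paulis.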

3.2 Oracle Result 

If we allow ourselves the liberty of a quantum oracle, 
then we can prove the following. 

Theorem 8 There exists a quantum oracle U rela- 
tive to which a public-key quantum money scheme ex- 
ists. (Here all parties — the bank, authenticators, and 
counterfeiters — have the same access to U ; no party 
has "inside information" about U that is not available 
to others.) 

16 We thank Peter Shor for this observation. 



By "quantum oracle," we simply mean a unitary transformation $U$ that can be applied in a black-box fashion. (We may assume controlled-$U$ and $U^{-1}$ are also available; this does not particularly affect our results.) Quantum oracles were first studied in a complexity-theoretic context by Aaronson and Kuperberg [3], where they were used to exhibit an oracle separation between the classes QMA and QCMA.

In the proof of Theorem 8, the oracle $U$ does basically what one would expect. Firstly, for each possible "secret key" $s\in\{0,1\}^n$ that could be chosen by the bank, the oracle maps the state $|0\rangle|s\rangle$ to $|0\rangle|s\rangle|e_s\rangle|\psi_s\rangle$, where $e_s$ is a classical "public key" chosen uniformly at random from $\{0,1\}^{3n}$, and $|\psi_s\rangle$ is an $n$-qubit pure state chosen uniformly at random under the Haar measure. (Of course, after being chosen at random, $e_s$ and $|\psi_s\rangle$ are then fixed for all time by the oracle. Notice that with overwhelming probability, there is no pair $s\neq s'$ such that $e_s=e_{s'}$. Also, here and throughout we omit ancilla qubits set to $|0\cdots 0\rangle$, when they are part of the input to $U$.)

Secondly, for each $s\in\{0,1\}^n$, the oracle maps the state $|1\rangle|e_s\rangle|\psi_s\rangle$ to $|1\rangle|e_s\rangle|\psi_s\rangle|1\rangle$. On the other hand, it maps $|1\rangle|e_s\rangle|\phi\rangle$ to $|1\rangle|e_s\rangle|\phi\rangle|0\rangle$ if $|\phi\rangle$ is orthogonal to $|\psi_s\rangle$, and $|1\rangle|e\rangle|\phi\rangle$ to $|1\rangle|e\rangle|\phi\rangle|0\rangle$ if $e\neq e_s$ for every $s$.

By feeding $U$ inputs of the form $|0\rangle|s\rangle$, the bank can prepare and distribute an unlimited number of banknotes $|e_s\rangle|\psi_s\rangle$. By feeding $U$ inputs of the form $|1\rangle|e_s\rangle|\psi_s\rangle$, buyers and sellers can then authenticate these banknotes. Furthermore, by the optimality of Grover's algorithm [7], it is clear that any would-be counterfeiter needs $\Omega(2^{n/2})$ queries to $U$ to find the secret key $s$, even if given the public key $e_s$.

So the real question is this: given $e_s$ together with $|\psi_s\rangle^{\otimes k}$ for some $k=\mathrm{poly}(n)$, can a counterfeiter, by making $\mathrm{poly}(n)$ queries to $U$, prepare a state that has non-negligible overlap with $|\psi_s\rangle^{\otimes k+1}$? We observe that a negative answer follows more-or-less immediately from Theorem 5, the Complexity-Theoretic No-Cloning Theorem.



4 Quantum Copy-Protection 



Having summarized our results about quantum 
money, we now move on to the related problem of copy- 
protecting quantum software. 
4.1 Two Schemes for Copy-Protecting Point Functions

Recall that a point function $f_s:\{0,1\}^n\to\{0,1\}$ has the form

$$f_s(x)=\begin{cases}1 & \text{if } x=s,\\ 0 & \text{otherwise.}\end{cases}$$

In this section we propose two explicit schemes for quantumly copy-protecting the family $\{f_s\}_{s\in\{0,1\}^n}$ of point functions.

The first scheme, which we are grateful to Adam Smith for suggesting, uses a pseudorandom generator $g:\{0,1\}^n\to\{0,1\}^{p(n)}$, where $p$ is some reasonably large polynomial (say $n^3$). Given the secret key $s$, the software vendor first computes $g(s)$, then reinterprets $g(s)$ as a description of a quantum circuit $U_{g(s)}$ over some universal basis of gates, which acts on $m$ qubits for some $m\ll n$. The vendor then outputs $|\psi_s\rangle=U_{g(s)}|0\rangle^{\otimes m}$ as its quantum program for $f_s$. Given $|\psi_s\rangle$, the customer can efficiently compute $f_s(x)$ for any $x$, by applying $U_{g(x)}^{-1}$ to $|\psi_s\rangle$, measuring the result in the standard basis, and then checking whether the outcome is $|0\rangle^{\otimes m}$.

Harrow and Low [16] have recently shown that random quantum circuits are approximate unitary 2-designs. From this it follows that if $x\neq s$, then $|\langle\psi_x|\psi_s\rangle|$ must be exponentially small with overwhelming probability, unless $g$ is insecure against $2^m$-time classical adversaries. It is also clear that $s$ cannot be learned by a polynomial-time measurement on $|\psi_s\rangle^{\otimes k}$ for any $k=\mathrm{poly}(n)$, unless $g$ is insecure against polynomial-time quantum adversaries. However, the key conjecture is the following:

Conjecture 2 Given $|\psi_s\rangle^{\otimes k}$, no polynomial-time quantum algorithm can prepare a $(k+1)$st copy of $|\psi_s\rangle$, or indeed, any other state from which $f_s$ can be efficiently computed.
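The following is an added, small-scale simulation of the first scheme; it is not code from the paper. It stands in for $g$ with SHA-256 in counter mode (an assumption of this example; the paper only requires some PRG), parses $g(s)$ as a circuit over the universal set $\{H, T, \mathrm{CNOT}\}$ on $m$ qubits, builds $|\psi_s\rangle=U_{g(s)}|0\rangle^{\otimes m}$ in a plain state-vector simulator, and runs the customer's check: apply $U_{g(x)}^{-1}$ (inverted gates in reverse order) and read off the probability of the all-zero outcome, which is exactly $|\langle\psi_x|\psi_s\rangle|^2$. With $m=8$ and a few hundred gates this probability is 1 for $x=s$ and of order $2^{-m}$ otherwise.

```python
import cmath
import hashlib
import math
from typing import List, Tuple

SQ2 = 1 / math.sqrt(2)
T_PHASE = cmath.exp(1j * math.pi / 4)


def prg(seed: bytes, nbytes: int) -> bytes:
    """Stand-in for the PRG g (constructed: SHA-256 in counter mode)."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
        i += 1
    return out[:nbytes]


def parse_circuit(stream: bytes, m: int) -> List[Tuple]:
    """Reinterpret g(s) as a circuit: every 3 bytes give a gate type and qubit(s).
    Gates are ('H', q), ('T', q) or ('CX', control, target); CX with equal
    wires is skipped."""
    gates = []
    it = iter(stream)
    for kind, a, b in zip(it, it, it):
        q1, q2 = a % m, b % m
        if kind % 3 == 0:
            gates.append(("H", q1))
        elif kind % 3 == 1:
            gates.append(("T", q1))
        elif q1 != q2:
            gates.append(("CX", q1, q2))
    return gates


def apply(psi: List[complex], gate: Tuple, inverse: bool = False) -> None:
    """Apply one gate (or its inverse) in place to the 2^m amplitude list.
    H and CX are self-inverse; T^-1 conjugates the phase."""
    if gate[0] == "H":
        mask = 1 << gate[1]
        for i in range(len(psi)):
            if not i & mask:
                a, b = psi[i], psi[i | mask]
                psi[i], psi[i | mask] = (a + b) * SQ2, (a - b) * SQ2
    elif gate[0] == "T":
        mask = 1 << gate[1]
        ph = T_PHASE.conjugate() if inverse else T_PHASE
        for i in range(len(psi)):
            if i & mask:
                psi[i] *= ph
    else:
        c, t = 1 << gate[1], 1 << gate[2]
        for i in range(len(psi)):
            if (i & c) and not (i & t):
                psi[i], psi[i | t] = psi[i | t], psi[i]


def prepare_program(s: bytes, m: int, n_gates: int) -> List[complex]:
    """Vendor: |psi_s> = U_{g(s)} |0...0> on m qubits."""
    gates = parse_circuit(prg(s, 3 * n_gates), m)
    psi = [0j] * (1 << m)
    psi[0] = 1
    for g in gates:
        apply(psi, g)
    return psi


def evaluate(psi: List[complex], x: bytes, m: int, n_gates: int) -> float:
    """Customer: apply U_{g(x)}^{-1} to a copy of |psi_s> and return the probability
    of measuring |0...0>, i.e. |<psi_x|psi_s>|^2. Output f_s(x)=1 iff that
    outcome is seen; the false-positive rate for x != s is this probability."""
    phi = list(psi)
    gates = parse_circuit(prg(x, 3 * n_gates), m)
    for g in reversed(gates):
        apply(phi, g, inverse=True)
    return abs(phi[0]) ** 2
```

The example reads out the exact acceptance probability rather than sampling a measurement, so one call shows both the completeness ($x=s$) and the soundness ($x\neq s$) side of the check; a real customer would measure and so consume the program unless it is amplified as discussed in Section 2.2.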

Our second candidate scheme is based on the Hidden Subgroup Problem over the symmetric group. Given the secret key $s\in\{0,1\}^n$, the software vendor first encodes $s$, in some canonical way, as a permutation $\tau_s\in S_n$ such that $\tau_s^2=e$ is the identity. The vendor then prepares a state of the form

$$|\psi_s\rangle=\frac{|\sigma_1\rangle+|\sigma_1\tau_s\rangle}{\sqrt{2}}\otimes\cdots\otimes\frac{|\sigma_k\rangle+|\sigma_k\tau_s\rangle}{\sqrt{2}},$$

where $\sigma_1,\ldots,\sigma_k$ are permutations chosen uniformly at random from $S_n$. Finally, the vendor distributes $|\psi_s\rangle$ as the (amplified) quantum program for $f_s$. Given $|\psi_s\rangle$, the customer can compute $f_s(x)$ for any $x$ by mapping each coset state $(|\sigma_i\rangle+|\sigma_i\tau_s\rangle)/\sqrt{2}$ to

$$\frac{1}{2}\left[\,|0\rangle\left(|\sigma_i\rangle+|\sigma_i\tau_s\rangle\right)+|1\rangle\left(|\sigma_i\tau_x\rangle+|\sigma_i\tau_s\tau_x\rangle\right)\right],$$

then Hadamarding the first qubit and measuring it in the standard basis. If $\tau_x=\tau_s$, then outcome $|0\rangle$ will be obtained with certainty, while if $\tau_x\neq\tau_s$, then outcome $|1\rangle$ will be obtained with probability $1/2$.

On the other hand, recovering $\tau_s$ given $|\psi_s\rangle$ is clearly at least as hard as the Hidden Subgroup Problem (HSP) over the symmetric group, at least for subgroups $H\le S_n$ of order 2. Solving this special case of HSP would lead to a polynomial-time quantum algorithm for the Rigid Graph Isomorphism problem. Furthermore, Hallgren et al. [15] have shown that any quantum algorithm for recovering $\tau_s$ would require entangled measurements on $\Omega(n\log n)$ coset states; such an algorithm seems beyond present-day techniques.

Again, though, the conjecture we need is a stronger one:

Conjecture 3 Given $|\psi_s\rangle$, no polynomial-time quantum algorithm can prepare an additional coset state $(|\sigma_{k+1}\rangle+|\sigma_{k+1}\tau_s\rangle)/\sqrt{2}$, or indeed any other state from which $f_s$ can be efficiently computed.

The copying problem clearly reduces to HSP, but we do not know of a reduction in the other direction.
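The following is an added simulation of the second scheme's honest parties; it is not code from the paper. Coset states are sparse superpositions over permutations (a dictionary from permutation tuple to amplitude), so the customer's test can be computed exactly: with the control in $|+\rangle$, a controlled right-multiplication by $\tau_x$ and a final Hadamard give $\Pr[1]=(1-\mathrm{Re}\langle\psi|\psi\tau_x\rangle)/2$, which is $0$ when $\tau_x=\tau_s$ and $1/2$ for any other non-identity involution. The paper leaves the encoding of $s$ as an involution unspecified; the one used here (swap pair $(2i,2i+1)$ iff $s_i=1$, plus a fixed swap so $\tau_s\neq e$) is this example's assumption. With $k$ coset states a wrong $x$ is accepted with probability exactly $2^{-k}$.

```python
import random
from typing import Dict, List, Tuple

Perm = Tuple[int, ...]        # permutation p as a tuple: i -> p[i]
State = Dict[Perm, float]     # real amplitudes indexed by group element


def compose(p: Perm, q: Perm) -> Perm:
    """Group product p*q ("apply p, then q"); right-multiplying |sigma> by tau
    sends it to |sigma tau>."""
    return tuple(q[p[i]] for i in range(len(p)))


def encode_involution(s: str, n: int) -> Perm:
    """Assumed canonical encoding (the paper leaves it unspecified): s in {0,1}^n
    becomes an involution on 2n+2 points that swaps (2i, 2i+1) iff s_i = 1, plus
    an unconditional swap of the last two points so tau_s is never the identity."""
    assert len(s) == n
    p = list(range(2 * n + 2))
    for i, bit in enumerate(s):
        if bit == "1":
            p[2 * i], p[2 * i + 1] = p[2 * i + 1], p[2 * i]
    p[-2], p[-1] = p[-1], p[-2]
    return tuple(p)


def coset_state(tau: Perm, rng: random.Random) -> State:
    """(|sigma> + |sigma tau>)/sqrt(2) for a uniformly random sigma."""
    sigma = list(range(len(tau)))
    rng.shuffle(sigma)
    sigma = tuple(sigma)
    return {sigma: 0.5 ** 0.5, compose(sigma, tau): 0.5 ** 0.5}  # tau != e: two terms


def vendor(s: str, n: int, k: int, rng: random.Random) -> List[State]:
    """|psi_s>: k independent coset states of the order-2 subgroup {e, tau_s}."""
    tau_s = encode_involution(s, n)
    return [coset_state(tau_s, rng) for _ in range(k)]


def prob_control_one(psi: State, tau_x: Perm) -> float:
    """Control |+>, controlled right-multiplication by tau_x, Hadamard on the
    control, measure: Pr[1] = (1 - Re<psi|psi tau_x>)/2."""
    shifted = {compose(p, tau_x): a for p, a in psi.items()}
    overlap = sum(a * shifted.get(p, 0.0) for p, a in psi.items())
    return (1.0 - overlap) / 2.0


def customer(program: List[State], x: str, n: int, rng: random.Random) -> int:
    """Run the test on every coset state; answer f_s(x) = 1 only if each control
    qubit reads 0 (one measurement per state, sampled from its exact law)."""
    tau_x = encode_involution(x, n)
    for psi in program:
        if rng.random() < prob_control_one(psi, tau_x):
            return 0
    return 1


def false_accept_probability(program: List[State], x: str, n: int) -> float:
    """Exact Pr[customer answers 1 on x]; for x != s this is prod_i (1 - 1/2) = 2^-k."""
    tau_x = encode_involution(x, n)
    prob = 1.0
    for psi in program:
        prob *= 1.0 - prob_control_one(psi, tau_x)
    return prob
```

Nothing here touches the hard direction (extracting $\tau_s$ or a fresh coset state from $|\psi_s\rangle$); the code only makes concrete what the customer computes and how the error falls off with the number of coset states.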

4.2 Oracle Result 

Our main result about quantum copy-protection is 
the following: 

Theorem 9 There exists a quantum oracle $U$, relative to which any family $\mathcal{F}$ of efficiently computable functions that is not quantumly learnable can be quantumly copy-protected (with security $\delta$, against pirates mapping $k$ programs to $k+r$ with $(1-2\delta)r>k$).

By a function family $\mathcal{F}$ being "quantumly learnable," we mean that given quantum oracle access to any function $f\in\mathcal{F}$, one can in polynomial time prepare a state $|\varphi_f\rangle$ from which $f$ can then be computed in polynomial time without further help from the oracle. As discussed before, it is clear that no learnable family of functions can be copy-protected. Theorem 9 says that this is the only relativizing obstruction to quantum copy-protection.

In the remainder of this section, we explain the es- 
sential steps in the proof of Theorem [9l in the special 
case where we only need to protect against pirating 
algorithms that more than double the number of pro- 
grams. 
The oracle $U$ does the following. Given as input a state of the form $|0\rangle|d_f\rangle$, where $d_f$ is a classical description of a Boolean function $f\in\mathcal{F}$, the oracle outputs $|0\rangle|d_f\rangle|K_f\rangle|\psi_f\rangle$, where $K_f$ is a random classical codeword specifying $f$, and $|\psi_f\rangle$ is a $2n$-qubit "code state" chosen uniformly at random under the Haar measure for each $f$. Given as input a state of the form $|1\rangle|K_f\rangle|\psi_f\rangle|x\rangle$, for some $x\in\{0,1\}^n$, the oracle outputs $|1\rangle|K_f\rangle|\psi_f\rangle|x\rangle|f(x)\rangle$. Given as input a state of the form $|1\rangle|K_f\rangle|\phi\rangle|x\rangle$, for any $|\phi\rangle$ orthogonal to $|\psi_f\rangle$, the oracle outputs $|1\rangle|K_f\rangle|\phi\rangle|x\rangle|0\rangle$.

It is clear that, for any function $f\in\mathcal{F}$, the software vendor can create and distribute states of the form $|K_f\rangle|\psi_f\rangle$, from which $f(x)$ can be efficiently computed for any input $x$. Furthermore, by the optimality of Grover's algorithm, a software pirate has little hope of using the oracle $U$ to find $d_f$, given only $K_f$. As in the quantum money case, the real question is this: given the state $|K_f\rangle|\psi_f\rangle^{\otimes k}$ for some $k=\mathrm{poly}(n)$, can a quantum pirate produce more than $k$ programs for $f$ using only $\mathrm{poly}(n)$ queries to $U$?

The Complexity-Theoretic No-Cloning Theorem suggests that the answer should be no. However, we now have to handle a new difficulty that did not arise in the money case. The new difficulty is that for certain function families $\mathcal{F}$, namely the learnable families, we know that it is possible to pirate $|\psi_f\rangle$ efficiently, by using $|\psi_f\rangle$ to simulate an oracle for $f$, and then learning a new quantum program for $f$ just from $f$'s input/output behavior. Thus, our proof will need to show that learnability is the only obstacle to copy-protection. Or taking the contrapositive, we need to construct a simulator, which takes as input a polynomial-time algorithm for pirating $|\psi_f\rangle$, and converts it into a polynomial-time algorithm that learns a quantum program for $f$ using only oracle access to $f$ (and no oracle access to $U$).

How should the simulator work? For simplicity, let us restrict ourselves to simulators that use the pirating algorithm as a black box in constructing the learning algorithm. Intuitively, what the simulator ought to do is

(1) "mock up" its own stand-in $|K\rangle|\varphi\rangle^{\otimes k}$ for the state $|K_f\rangle|\psi_f\rangle^{\otimes k}$,

(2) run the pirating algorithm on $|K\rangle|\varphi\rangle^{\otimes k}$, using the simulator's own oracle access to $f$ to simulate the pirating algorithm's oracle calls to $U$ on inputs of the form $|1\rangle|K_f\rangle|\psi_f\rangle|x\rangle$, and then

(3) use the output of the pirating algorithm to get an oracle-free quantum program for $f$.



The idea behind step (3) is as follows: we know that at least some of the programs output by the pirating algorithm must not make essential use of the oracle $U$. For the oracle can only be usefully accessed via the "pseudorandom" state $|\varphi\rangle$, and by the Complexity-Theoretic No-Cloning Theorem, the simulator cannot have produced any additional copies of $|\varphi\rangle$.

However, already at step (1) of the above plan, we encounter a problem: in the oracle world, the states $|\psi_f\rangle$ were chosen uniformly at random under the Haar measure. In polynomial time, with no oracle access, how does one "mock up" a $2n$-qubit state $|\varphi\rangle$ such that $|\varphi\rangle^{\otimes k}$ behaves indistinguishably from $k$ copies of a uniformly random state? This is the question that we answer in the full version using Theorem 3, which gives an explicit quantum $t$-design for arbitrary $t=\mathrm{poly}(n)$ with the properties we need.

Let us now explain how the pieces are put together. Assume that $(1-2\delta)r>k$. Suppose we are given a pirating algorithm that takes $|\psi_f\rangle^{\otimes k}$ as input (for a given $f\in\mathcal{F}$), makes $T$ queries to the quantum oracle $U$, and outputs $k+r$ possibly-entangled quantum programs $\sigma_1,\ldots,\sigma_{k+r}$ such that

$$\sum_{i=1}^{k+r}\Pr_{(f,x)\sim\mathcal{D}}\left[L^{U}(\sigma_i,x)\text{ outputs }f(x)\right]\ge k+(1-\delta)r.$$

From this pirating algorithm, we want to obtain a polynomial-time algorithm that uses oracle access to $f$ to learn an (oracle-free) quantum program for $f$. Here is how it works:

(1) The simulator chooses some $t=\mathrm{poly}(k,T,n)$. It then chooses a $2n$-qubit state $|\varphi\rangle$ uniformly at random from a quantum $t$-design, in the sense of Theorem 3. The simulator also chooses a random string $K$.

(2) The simulator creates a simulated oracle $\tilde{U}$, which maps $|1\rangle|K\rangle|\varphi\rangle|x\rangle$ to $|1\rangle|K\rangle|\varphi\rangle|x\rangle|f(x)\rangle$, and $|1\rangle|K\rangle|\phi\rangle|x\rangle$ to $|1\rangle|K\rangle|\phi\rangle|x\rangle|0\rangle$ for every $|\phi\rangle$ orthogonal to $|\varphi\rangle$. (As a technicality, $\tilde{U}$ does nothing on inputs of the form $|0\rangle|d_f\rangle$.)$^{17}$ Note that $\tilde{U}$ can be implemented in polynomial time, using the simulator's oracle access to $f$.

(3) The simulator runs the pirating algorithm, except with $|K\rangle|\varphi\rangle^{\otimes k}$ in place of $|K_f\rangle|\psi_f\rangle^{\otimes k}$ for the input, and queries to $\tilde{U}$ in place of queries to $U$. The simulator outputs $|\Phi\rangle$, the output of the pirating algorithm, as its candidate for an oracle-free quantum program for $f$.

$^{17}$ For simplicity, we are assuming it is exponentially hard for anyone but the software vendor to guess the classical description $d_f$ for even a single function $f\in\mathcal{F}$, in which case no one but the software vendor ever has anything to gain by querying $U$ on inputs of the form $|0\rangle|d\rangle$. With slightly more work, one can remove this assumption, and even assume $d_f$ has some standard form such as a description of a circuit for $f$.

(4) Let $\sigma_1,\ldots,\sigma_{k+r}$ be the (possibly-entangled) registers of $|\Phi\rangle$ corresponding to the $k+r$ pirated programs. Then given an input $x\in\{0,1\}^n$ and freeloading algorithm $L$, one computes $f(x)$ as follows. Choose $i\in[k+r]$ uniformly at random; then run $L^{U}(\sigma_i,x)$ with $U$ replaced by the identity transformation, and return $L$'s output as the guess for $f(x)$.

We claim that step (4) outputs $f(x)$ with probability non-negligibly greater than $1/2$. Notice that one can amplify the success probability by repeating steps (1)-(3) $t'=\mathrm{poly}(n)$ times to obtain the state $|\Phi\rangle^{\otimes t'}$, then repeating step (4) on each copy of $|\Phi\rangle$ and outputting the majority answer.

The argument goes as follows. By Theorem 5 (the Complexity-Theoretic No-Cloning Theorem), it is impossible to use the original pirating algorithm to produce $k+1$ copies of the Haar-random state $|\psi_f\rangle$. Indeed, there cannot even be a single input $x\in\{0,1\}^n$ such that given $x$, one can use the output of the pirating algorithm (together with $\mathrm{poly}(n)$ additional queries to $U$) to prepare $k+1$ copies of $|\psi_f\rangle$. For then, by simply guessing $x$ and then using amplitude amplification, one could prepare $k+1$ copies of $|\psi_f\rangle$ using only $O(\sqrt{2^n}\,\mathrm{poly}(n))$ queries to $U$, whereas Theorem 2 implies that $\Omega(2^n/\mathrm{poly}(n))$ queries are needed. (This is why we stipulated that $|\psi_f\rangle$ has $2n$ qubits rather than $n$.)

By Theorem 3, it follows that the output $|\Phi\rangle$ cannot be used to prepare $k+1$ copies of $|\varphi\rangle$ in the simulated case either, for otherwise we would be able to distinguish the real case from the simulated one.

As a consequence, when we run $L^{U}(\sigma_i,x)$ for each $i\in[k+r]$, at least $r$ of the $k+r$ invocations must be unaffected when $U$ is replaced by the identity transformation. For if an invocation is affected, then by the BBBV lower bound [7], it must at some point have fed $U$ an input state that has $\Omega(1/\mathrm{poly}(n))$ fidelity with some state of the form $|1\rangle|K\rangle|\varphi\rangle|x\rangle|y\rangle$. For those are the only states on which $U$ behaves differently from the identity transformation. Thus, we can prepare a "clock state" of the form $\frac{1}{\sqrt{T}}\sum_{t=1}^{T}|t\rangle$, and use that state to determine how many steps $t$ of $L$ to apply to $\sigma_i$. We can then apply $\mathrm{poly}(n)$ steps of amplitude amplification to the joint state of the clock register and the $\sigma_i$ register, searching for a marked item of the form $|t\rangle\otimes|\varphi\rangle$ for any $t$. This will produce, in the $\sigma_i$ register, a state having $1-\varepsilon$ fidelity with $|\varphi\rangle$. But we already decided that this can be done for at most $k$ registers. In summary, the expression

$$\sum_{i=1}^{k+r}\Pr_{(f,x)\sim\mathcal{D}}\left[L^{U}(\sigma_i,x)\text{ outputs }f(x)\right]$$

can decrease by at most (say) $k+2^{-n}$ when $U$ is replaced by $I$. Since $(1-\delta)r>k+\delta r$, this means the sum is at least

$$k+(1-\delta)r-(k+2^{-n})=(1-\delta)r-2^{-n}>k+\delta r-2^{-n}.$$

So for $i\in[k+r]$ chosen randomly, $L^{I}(\sigma_i,x)$ outputs the correct value of $f(x)$ with probability bounded above $1/2$, as claimed.

5 Open Problems 

Can we find more explicit candidate schemes for 
public-key quantum money — and better yet, prove 
such a scheme secure under a standard assumption? 

Can we find candidate schemes for quantumly copy- 
protecting richer families of functions than just point 
functions? What about trapdoor inversion functions? 

Can we prove a scheme for copy-protecting point functions (such as those in Section 4.1) secure under a standard assumption?

Can we improve Theorem 9 to remove the restriction on $r$?

Can a public-key (or at least query-secure) quan- 
tum money scheme exist, that does not require multi- 
qubit entanglement in the banknotes? What about a 
scheme for copy-protecting point functions that does 
not require multi-qubit entanglement in the programs? 

Can we show that public-key quantum money 
schemes exist relative to a classical oracle, rather than 
a quantum oracle? What about nontrivial copy- 
protection schemes? 

Is there a way to amplify a quantum program "unsplittably," i.e., such that one cannot efficiently decompose the amplified program into two somewhat-less-amplified programs, as $\rho^{\otimes k}$ can be decomposed into $\rho^{\otimes k/2}\otimes\rho^{\otimes k/2}$?

Can we improve the parameters of the Complexity- 
Theoretic No-Cloning Theorem? 

Can the Goldreich-Goldwasser-Micali reduction [12] 
from PRGs to PRFs be adapted to work in the presence 
of quantum adversaries? 

Can we find a function family which is quantumly 
obfuscatable, but is not (or is not known to be) classi- 
cally obfuscatable? 
Can we give constructions for unclonable quantum ID cards or quantum proofs? How do these functionalities relate to money and copy-protection?

What can we say about information-theoretically se- 
cure quantum copy-protection, in the regime where the 
number of copies of the quantum program is assumed 
to be small? 